Our Protection Techniques Are Always Improving, But We Don't Always Say So

Dotfuscator and DashO are updated regularly, typically four or more times a year. Each release includes new features, fixes, changes, and protection enhancements. Our changelogs generally describe those features, fixes, and changes - but not the protection enhancements.

Why not? Why wouldn't we tell the world about our protection enhancements?

Because application security is like an arms race: bad actors are constantly working to find new ways to undo the protections we apply, and we are constantly working to stop them. One of the ways we help protect our customers is by not announcing most changes we make to our protection techniques. That way the bad guys don't know whether a new release is worth investigating, or if it is, where they should look. This helps ensure that our customers have a longer lead time before the bad guys even find out that they're blocked.

Historically, our policy for this was just to say nothing - no mention in the changelog at all. (We have years of changelogs with unstated protection enhancements!)

However, we've had a better idea; we've started adding a line to every changelog, linking here: This release may include protection enhancements not described here. This way, we let customers know that we are working hard to improve protection, release after release after release, without letting attackers know anything more about what we're doing.